Link List

Sponsored by..

Tuesday, 21 January 2014

Something evil on 5.254.96.240 and 185.5.55.75

This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I do have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank.

URLquery shows one such download in this example, the victim has been directed to [donotclick]gf-58.ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48.

The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server (according to URLquery and VirusTotal) are:

The Anubis report and ThreatExpert report [pdf] show that the malware calls home to dshfyyst.ru on 185.5.55.75 (UAB "Interneto vizija", Lithunia). There are some other suspect sites on the same server which may be worth blocking (see below).

All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.